56.50 - Data Accountability, Audit & Risk Management (AR)


Policy Statement
TTUHSC El Paso shall implement effective controls to ensure that adequate privacy and security protection requirements are in place to minimize overall privacy and security risk.

Reason for Policy
The purpose of the Data Accountability, Audit & Risk Management (AR) policy is to enhance public confidence through effective governance, monitoring, risk management, and assessments to demonstrate that TTUHSC El Paso is complying with applicable privacy and security protection requirements and minimizing overall risk.

Entities Affected by this Policy are any and all users of Information Resources at TTUHSC El Paso.

What is Covered in this Policy?
The overall policy addresses the Institutional stance as it applies to TTUHSC El Paso in the areas of: the Governance & Privacy Program, Privacy Impact & Risk Assessment, Privacy Requirements for Contractors & Service Providers, Privacy Monitoring & Auditing, Privacy Awareness & Training, Privacy Reporting, Privacy-Enhanced System Design & Development, and Accounting of Disclosures.

It is the stance of TTUHSC El Paso to ensure that there are safeguards in place aligned with NIST 800-53 and TAC 202 to ensure the protection, integrity, and confidentiality of information resources at TTUHSC El Paso.

Who Should Read this Policy?
All individuals accessing, storing, or viewing any TTUHSC El Paso information resources.

What Happens if I Violate this Policy?
Any person(s) violating TTUHSC El Paso Information Technology policies are subject to penalty under federal, state, and local legislation. Disciplinary actions are further outlined in HSCEP OP 56.50, Sanctions Policy.


AR-01: Governance & Privacy Program

TTUHSC El Paso:

  • Appoints an individual who is accountable for developing, implementing, and maintaining an organization-wide governance and privacy program to ensure compliance with all applicable laws and regulations regarding the collection, use, maintenance, sharing, and disposal of PII by programs and systems;
  • Monitors privacy laws for changes that affect the privacy program;
  • Allocates budget and staffing resources to implement and operate the organization-wide privacy program;
  • Develops a strategic organizational privacy plan for implementing applicable privacy controls, policies, and procedures;
  • Develops, disseminates, and implements operational privacy policies and procedures that govern the appropriate privacy and security controls for programs, systems, or technologies involving PII; and
  • Updates privacy plan, policies, and procedures at least biennially.

TTUHSC El Paso IT Security is required to assign a business unit or individual the responsibility for privacy governance.

AR-02: Privacy Impact & Risk Assessment

TTUHSC El Paso:

  • Establishes a privacy risk assessment process that assesses privacy risk to individuals resulting from the collection, sharing, storing, transmitting, and use of PII;
  • Conducts a Privacy Impact Assessment (PIA) for systems and programs in accordance with applicable law, OMB policy, and any existing organizational policies and procedures; and
  • Follows a documented, repeatable process for conducting, reviewing, and approving PIAs.

TTUHSC El Paso's Compliance and IT Security departments are responsible for working alongside the Compliance department to establish a privacy risk assessment program that includes a process for conducting Privacy Impact Assessments (PIAs).

AR-03: Privacy Requirements for Contractors & Service Providers

TTUHSC El Paso includes privacy requirements in contracts and other acquisition-related documents that establish privacy roles and responsibilities for contractors and service providers.

The inclusion of privacy requirements in contracts is required to establish privacy roles and responsibilities for contractors and service providers.

AR-04: Privacy Monitoring & Auditing

TTUHSC El Paso monitors and audits privacy controls and internal privacy policy to ensure effective implementation.

TTUHSC El Paso's IT Security department is required to monitor and audit privacy controls and internal privacy policy to ensure effective implementation.

AR-05: Privacy Awareness & Training

TTUHSC El Paso develops, implements, and updates a comprehensive training and awareness strategy aimed at ensuring that personnel understand privacy responsibilities and procedures.

TTUHSC El Paso's Compliance and IT Security departments are required to develop, implement, and update training and awareness aimed at ensuring users understand privacy responsibilities and procedures.

AR-06: Privacy Reporting

TTUHSC El Paso develops, disseminates, and updates reports to senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

TTUHSC El Paso's Compliance and IT Security departments are required to develop, implement, and update reports for senior management and other personnel with responsibility for monitoring privacy program progress and compliance.

AR-07: Privacy-Enhanced System Design & Development

TTUHSC El Paso designs systems to enhance privacy by automating privacy controls.

TTUHSC El Paso's IT security personnel are responsible for designing systems to enhance privacy by automating security controls.

AR-08: Accounting of Disclosures

TTUHSC El Paso:

  • Keeps an accurate accounting of disclosures of information held in each system of records under its control, including:
      • Date, nature, and purpose of each disclosure of a record; and
      • Name and address of the person or agency to which the disclosure was made;
  • Retains the accounting of disclosures for the life of the record or five years after the disclosure is made, whichever is longer; and
  • Makes the accounting of disclosures available to the person named in the record upon request.

TTUHSC El Paso's legal department is responsible for maintaining an accounting of disclosures.

All other IT Policies can be found at https://ttuhscep.edu/it/policies/


  1. TAC 202.74


Revised May 2018